Electronic commerce (e-commerce) relates to the electronic performance of transactions for goods or services. One component of e-commerce application operation is security, particularly user security. Security enables a user of the e-commerce application to be authenticated and provided permission to invoke certain functions of the e-commerce application while preventing certain functions from invocation by users who cannot be authenticated or who do not have a required permission. One aspect of user security is identity management which distinguishes individual users and associates an individual user's identity with the user's requests and activities during an e-commerce session.
E-commerce applications are typically made available to users via a network such as the Internet at an Internet site or domain defined by one or more universal resource locators (URLs). Pages identified by URLs for the site may be browsed by a user with a client browsing application (web browser) that requests the pages from one or more servers hosting the site. E-commerce functions may be invoked by the user to initiate and conclude e-commerce transactions via the web browser.
Browsing purely in accordance with the Hypertext Transfer Protocol (HTTP) of the Internet is stateless: a previous user request to a site has no bearing on a current user request to the site. To maintain state between an HTTP client and a server, a piece of data known as a cookie is used. The cookie is issued by the server to the client. To identify itself to the server on a subsequent request, the client browsing application submits the cookie as part of the subsequent request header. From the information in the cookie the server can identify the client, thus maintaining state across requests.
Cookies are a popular means of managing user sessions in e-commerce sites. When a user visits a site or authenticates to a site, a cookie is issued to the user to identify the user to the site for the life of the user's session (e.g. until the user closes the web browser or invokes a logoff function on the site).
Within an Internet domain, one or more security domains may be defined using a collection of related URLs and a user may be assigned the same privileges throughout a particular security domain. For the Internet domain shop.ibm.com, the following is an example of two security domains, one for each of store A and store B and where ... represents any string of characters like a wildcard placeholder:
i) URLs matching the pattern http://shop.ibm.com/...?...&storeId=A&...
ii) URLs matching the pattern http://shop.ibm.com/...?...&storeId=B&...
One or more security domains may be used to define an e-commerce shopping mall, e-commerce hosting site, e-commerce marketplace, or other place where online business is conducted. The aggregation of all the security domains in an e-commerce site is called the composite security domain.
In e-commerce sites that are executed on a single e-commerce application, a user's session is only associated with a single user identity for the composite security domain. Acting under a single identity across security domains may not be desired. There may be requirements to associate an individual user with one or more separate identities within each security domain or subset of security domains that form a composite domain. For example, if a user is browsing two independent stores at an Internet site and has added items to the user's shopping cart in both stores, it may be desired that the business logic of the e-commerce application only displays the shopping cart associated with the one store that the user is currently browsing. If the user wants to be treated under a common identity in two hosted stores but a different identity under a third store, the business logic to achieve this result is very complicated.
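As an added illustration (not part of the original description), the following Python sketches the two ideas above: a URL is placed in a security domain by its storeId parameter, following the shop.ibm.com patterns given earlier, and a single session cookie carries a separate identity and shopping cart per security domain or per group of domains. Store C and the grouping of A and B under one identity are assumptions constructed for the example.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed grouping: stores A and B share one identity, store C is kept separate.
# Any store not listed here is treated as its own group.
DOMAIN_GROUPS = {"A": "mall-AB", "B": "mall-AB", "C": "store-C"}


def security_domain(url: str) -> Optional[str]:
    """Return the storeId that places this URL in a security domain, or None."""
    parts = urlsplit(url)
    if parts.hostname != "shop.ibm.com":
        return None
    ids = parse_qs(parts.query).get("storeId", [])
    # Exactly one storeId is expected; a duplicated parameter is ambiguous
    # and is deliberately treated as belonging to no domain.
    return ids[0] if len(ids) == 1 else None


class Session:
    """One HTTP session (one cookie) holding a distinct identity per domain group."""

    def __init__(self, cookie: str) -> None:
        self.cookie = cookie
        self.identities: Dict[str, str] = {}   # domain group -> user identity
        self.carts: Dict[str, List[str]] = {}  # user identity -> cart items

    def identity_for(self, url: str) -> Optional[str]:
        store = security_domain(url)
        if store is None:
            return None
        group = DOMAIN_GROUPS.get(store, store)
        # The first request into a group issues an identity bound to this cookie.
        return self.identities.setdefault(group, f"{self.cookie}:{group}")

    def add_to_cart(self, url: str, item: str) -> None:
        ident = self.identity_for(url)
        if ident is None:
            raise ValueError("request is outside every security domain")
        self.carts.setdefault(ident, []).append(item)

    def cart_for(self, url: str) -> List[str]:
        """Only the cart of the identity for the store being browsed is shown."""
        ident = self.identity_for(url)
        return list(self.carts.get(ident, [])) if ident else []
```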
Gathering statistics of user activities at a particular store is much easier to perform with user identities that are only associated with the particular store than with user identities that are associated with multiple hosted stores. Merchants choosing to have their store in a hosted shopping mall often do so for reasons of affordability, sharing processing resources with other merchants to reduce costs. One consequence is that these merchants share their users' customer accounts among all the stores in the shopping mall. If a hosted store desires to move to its own e-commerce site, migration of customer accounts, including individual shopping carts and orders, may be very difficult or costly if the accounts and carts are shared with other stores.
As such, an identity management architecture which addresses some or all of these shortcomings is desired.